bind8 .net forwarding problem

Michael Sinatra michael at rancid.berkeley.edu
Fri Sep 26 21:41:04 UTC 2003


Hi,

I had wanted to implement delegation-only for COM and NET in an anycast
DNS infrastructure that had a mix of BIND8 (usually 8.4.1-P1) and BIND9
servers (were running 9.2.2, now 9.2.3rc4).  Since there is no patch for
BIND8, my initial idea was to have the BIND8 servers forward queries for
COM and NET to the BIND9 servers.  This seems to be similar to what the
ISC web page at <http://isc.org/products/BIND/delegation-only.html>
suggests for BIND8 installations.  I realized that it was clunky, but had
planned it for a short-term solution.

I ran into a really ugly glitch while I was testing this setup.  If I
configured my server to forward COM and NET, and then did an 'ndc reload,'
the nameserver freaked out when I tried to resolve something recursively,
logging a whole bunch of the following messages:

26-Sep-2003 14:18:47.729 warning: sysquery: no addrs found for root NS (A.ROOT-SERVERS.NET)
26-Sep-2003 14:18:47.729 warning: sysquery: no addrs found for root NS (A.ROOT-SERVERS.NET)
26-Sep-2003 14:18:47.729 warning: sysquery: no addrs found for root NS (B.ROOT-SERVERS.NET)
26-Sep-2003 14:18:47.729 warning: sysquery: no addrs found for root NS (B.ROOT-SERVERS.NET)
26-Sep-2003 14:18:47.729 warning: sysquery: no addrs found for root NS (C.ROOT-SERVERS.NET)
26-Sep-2003 14:18:47.729 warning: sysquery: no addrs found for root NS (C.ROOT-SERVERS.NET)
26-Sep-2003 14:18:47.730 warning: sysquery: no addrs found for root NS (D.ROOT-SERVERS.NET)
26-Sep-2003 14:18:47.730 warning: sysquery: no addrs found for root NS (D.ROOT-SERVERS.NET)
26-Sep-2003 14:18:47.730 warning: sysquery: no addrs found for root NS (E.ROOT-SERVERS.NET)
26-Sep-2003 14:18:47.730 warning: sysquery: no addrs found for root NS (E.ROOT-SERVERS.NET)
26-Sep-2003 14:18:47.730 warning: sysquery: no addrs found for root NS (F.ROOT-SERVERS.NET)
26-Sep-2003 14:18:47.730 warning: sysquery: no addrs found for root NS (F.ROOT-SERVERS.NET)
26-Sep-2003 14:18:47.731 warning: sysquery: no addrs found for root NS (G.ROOT-SERVERS.NET)
26-Sep-2003 14:18:47.731 warning: sysquery: no addrs found for root NS (G.ROOT-SERVERS.NET)
26-Sep-2003 14:18:47.731 warning: sysquery: no addrs found for root NS (H.ROOT-SERVERS.NET)
26-Sep-2003 14:18:47.731 warning: sysquery: no addrs found for root NS (H.ROOT-SERVERS.NET)

I was able to repeatedly replicate this problem by creating a slimmed-down
configuration (see at the END of this message for the named.conf and
root.cache files).  When I started the nameserver for the first time, it
worked fine, resolving hosts in all TLDs I tried and properly forwarding
the COM and NET hosts.  Then I did an 'ndc reload' and the problem
immediately came back the next time I did a recursive query that wasn't
already cached.  I was able to replicate this over and over again using
BIND 8.4.1-P1 and 8.3.6-REL on a FreeBSD 4-STABLE (cvsupped and rebuilt a
few days ago) host.

I am assuming the problem has to do with the forwarding of NET, and that
causes the server to get confused about where the root servers are (since
<X>.root-servers.net is in the NET TLD), but I haven't done enough
testing.

Ironically, this forwarding problem doesn't occur with BIND 9.  But then
again, with the patched version of BIND 9, I can just use delegation-only.
In the end, I upgraded all of the anycast servers to BIND 9 and configured
them for delegation-only for COM and NET, which was probably the Right
Thing To Do.

I am planning to send this to bind-bugs, but wanted to see if others here
were seeing the same thing, or if I am just completely nuts.

Here's the named.conf that I was able to use for replicating the problem
(note that there's an include statement for the logging config at the
end--if anyone thinks that's relevant, I can pass it on):

#
options {
        directory "/var/namedb";
};

zone "." {
        type hint;
        file "root.cache";
};

#  Thank you VeriSign!

zone "com" {
        type forward;
        forward first;
        forwarders {
                204.152.184.76; // I also tried a local BIND 9 server
                };              // here.  Both exhibited the same problem.
};


zone "net" {
        type forward;
        forward first;
        forwarders {
                204.152.184.76; // I also tried a local BIND 9 server
                };              // here.  Both exhibited the same problem.
};

include "/var/namedb/named.logging";

####################################

and here is the root.cache file:

;
; root.cache (named.ca, named.root)
; Created by michael at socialdistortion.net.berkeley.edu on Mon Sep 22 16:03:45 PDT 2003
; Automatically built by cachebuild, any changes you make may go away.
;

;
; formerly ns.internic.net
;
.                        3600000  IN  NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
;
; formerly ns1.isi.edu
;
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     128.9.0.107
;
; formerly c.psi.net
;
.                        3600000      NS    C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET.      3600000      A     192.33.4.12
;
; formerly terp.umd.edu
;
.                        3600000      NS    D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET.      3600000      A     128.8.10.90
;
; formerly ns.nasa.gov
;
.                        3600000      NS    E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET.      3600000      A     192.203.230.10
;
; formerly ns.isc.org
;
.                        3600000      NS    F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET.      3600000      A     192.5.5.241
;
; formerly ns.nic.ddn.mil
;
.                        3600000      NS    G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET.      3600000      A     192.112.36.4
;
; formerly aos.arl.army.mil
;
.                        3600000      NS    H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET.      3600000      A     128.63.2.53
;
; formerly nic.nordu.net
;
.                        3600000      NS    I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET.      3600000      A     192.36.148.17
;
; Verisign GRS
;
.                        3600000      NS    J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET.      3600000      A     192.58.128.30
;
; housed in LINX operated by RIPE NCC
;
.                        3600000      NS    K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET.      3600000      A     193.0.14.129
;
; ICANN
;
.                        3600000      NS    L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET.      3600000      A     198.32.64.12
;
; housed in JAPAN operated by WIDE
;
.                        3600000      NS    M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET.      3600000      A     202.12.27.33
; End of File

###########################

michael
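
Added example, not part of the original message and not BIND code: a small pre-deployment check for the overlap the post suspects, namely a "type forward" zone that contains the names of the root servers listed in the hints file. The sample inputs are constructed (trimmed from the files above, with a documentation-range forwarder address), and all function names are hypothetical.

```python
import re

# Constructed sample inputs modelled on the named.conf and root.cache above.
# 192.0.2.53 is a documentation-range placeholder, not a real forwarder.
NAMED_CONF = '''
zone "." { type hint; file "root.cache"; };
#  forward zones under test
zone "com" { type forward; forward first; forwarders { 192.0.2.53; }; };
zone "net" {
        type forward;
        forwarders { 192.0.2.53; };   // placeholder forwarder
};
zone "example.org" { type master; file "example.org.db"; };
'''
HINTS = '''
; formerly ns.internic.net
.                        3600000  IN  NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     128.9.0.107
'''

def strip_comments(conf):
    # Simplification: assumes no '#' or '//' inside quoted strings.
    conf = re.sub(r'/\*.*?\*/', '', conf, flags=re.S)
    return re.sub(r'(//|#)[^\n]*', '', conf)

def forward_zones(conf):
    # Zone names declared 'type forward'; bodies may nest one brace level.
    zones = re.findall(r'zone\s+"([^"]+)"[^{]*\{((?:[^{}]|\{[^{}]*\})*)\}',
                       strip_comments(conf))
    return sorted(name.lower().rstrip('.') for name, body in zones
                  if re.search(r'\btype\s+forward\s*;', body))

def root_ns_names(hints):
    # Targets of NS records owned by '.' in the hints file.
    names = set()
    for line in hints.splitlines():
        f = line.split(';', 1)[0].split()
        if len(f) >= 3 and f[0] == '.' and 'NS' in (x.upper() for x in f[1:-1]):
            names.add(f[-1].lower().rstrip('.'))
    return sorted(names)

def hints_under_forwarders(conf, hints):
    # Map each forward zone to the root NS names that sit inside it.
    roots = root_ns_names(hints)
    hits = {z: [n for n in roots if n == z or n.endswith('.' + z)]
            for z in forward_zones(conf)}
    return {z: names for z, names in hits.items() if names}

if __name__ == '__main__':
    for zone, names in hints_under_forwarders(NAMED_CONF, HINTS).items():
        print(f'forward zone "{zone}" covers root hint names: {", ".join(names)}')
```

A non-empty result only flags the configuration overlap; it does not confirm that the overlap is what triggers the sysquery warnings.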



More information about the bind-users mailing list